← All terms
SSH Key Management

What is SSH Key Management?

SSH key management is the discovery, control and rotation of the SSH keys that grant server access — credentials that never expire unless someone makes them.

Last updated: 14 July 2026

How SSH keys grant access

SSH keys are cryptographic key pairs used instead of passwords for logging into Linux and Unix systems, network devices and code repositories. The private key stays with the user or application; the public key is placed in an authorized_keys file on every server that should accept it. Whoever holds the private key gets in — no password prompt, and in most default setups, no expiry date.

That convenience is exactly the management problem. Any user can mint new key pairs and distribute public keys without involving IT, so over years an environment accumulates thousands of keys: keys of departed employees, keys shared between teams, keys copied into automation scripts, and keys granting root that nobody remembers creating.

Why unmanaged keys are dangerous

Unlike passwords, SSH keys are rarely covered by expiry policies, MFA or offboarding checklists. A private key copied to a laptop before an employee left still opens production servers years later. Keys also chain: a compromised server may hold private keys that open further servers, letting attackers traverse an estate silently along trust relationships that no one has mapped.

Audits repeatedly find that organizations cannot answer basic questions — which keys exist, what they grant, who holds the private halves and when they were last used. Compliance frameworks that require credential lifecycle control apply to keys just as much as passwords, but keys are far easier to overlook because they live in scattered files rather than a directory.

Managing SSH keys in practice

A key management program starts with an inventory: scanning servers for authorized_keys entries and private key files, mapping which keys open which accounts, and removing orphans. Policy follows — approved key algorithms and lengths, mandatory passphrases, a ban on shared keys, and rotation schedules for the keys that remain.

The strongest pattern removes standing keys altogether: administrators authenticate to a PAM gateway with their personal identity and MFA, and the gateway holds or injects the server credential for the session. Monopam applies this model by vaulting SSH credentials and opening recorded, browser-based SSH sessions, so private keys never need to live on user laptops at all.

Frequently asked questions

Are SSH keys safer than passwords?
Cryptographically, yes — a key cannot be guessed or phished the way a password can. Operationally, often no: keys never expire by default, are trivially copied, and usually bypass MFA and central logging. A well-managed key beats a password; an unmanaged key sprawl can be worse than well-rotated passwords.
How often should SSH keys be rotated?
There is no universal mandate, but common practice is rotating high-privilege keys at least annually, immediately upon staff departure or suspected exposure, and whenever a key changes hands. Many teams sidestep the question by moving to short-lived certificates or gateway-brokered access, where no long-lived key exists to rotate.
What are SSH certificates and do they replace key management?
SSH certificates are keys signed by a trusted certificate authority with a built-in expiry, often just hours. They eliminate the unbounded-lifetime problem and simplify trust, but they move the burden to protecting the CA and issuing pipeline. They reduce, rather than remove, the need for key governance.